[olug] Minimalist network security

Phil Brutsche phil at brutsche.us
Fri Sep 12 15:03:38 UTC 2003


Eric Penne wrote:
> I work in a Windows environment. We have a single w2k server on an
> IBM Netfinity 5100.  This server does file, print, dhcp, and dns
> forwarding. It is also the domain controller for the company.  We are
> completely NAT with no open ports through our router.  The problem is
> that we are affiliated with Southeast Community College and they have
> classes here. Basic computer classes (mac and windows for beginners)
> up to Advanced Cisco routing classes.  I'm scared by the number of
> people that have access to our network that I don't know.  I lock
> down the server pretty tight and don't allow access to any of the
> shared drives without a login.

If you're scared as to what they might be doing on your network, take
them off your network.

Set up a sort of DMZ on your firewall and give those computer students
the only thing they *really* need - internet access.

Of course, this only works if the students have a dedicated classroom
separate from everything else ;)

> I was wondering if there was a way to monitor all the network traffic
> on our network and look for suspicious activity.  I know "of" many of
> the security tools in Linux but more specifically I'm wondering how
> to monitor the traffic through our switch.  Which of the various
> security tools can be "promiscuous" and monitor all the traffic?  How
> do you set up the switch and/or PC to be "promiscuous"?

If you can separate the classroom computers from the others, you could
force all your internet traffic through a squid proxy (basically give
them web access only) and monitor what they do through that.

No matter what it would be a *really* good idea to turn on auditing on
the Win2k server - it can be set to log failed logins.

And keep up to date on your security updates!  All the auditing in the
world won't help if you get infected with the RPC worm due to those
students (hence the DMZ idea).

-- 

Phil Brutsche
phil at brutsche.us
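Once the classroom traffic is forced through squid as suggested above, the proxy's access.log is where the monitoring happens. The following is an added example, not code from the original thread: it parses Squid's native access.log format over a few constructed sample lines and reports clients with repeated denied requests or CONNECT tunnels to ports other than 443. The addresses, the threshold and the "odd port" rule are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in Squid's native access.log format:
# timestamp elapsed client action/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1063378010.101   245 192.168.5.20 TCP_MISS/200 4532 GET http://www.example.com/ - DIRECT/203.0.113.10 text/html
1063378011.204    12 192.168.5.20 TCP_HIT/200 1200 GET http://www.example.com/logo.gif - NONE/- image/gif
1063378012.330     3 192.168.5.31 TCP_DENIED/403 1450 CONNECT 203.0.113.55:6667 - NONE/- text/html
1063378013.441     2 192.168.5.31 TCP_DENIED/403 1450 CONNECT 203.0.113.55:6667 - NONE/- text/html
1063378014.552     4 192.168.5.31 TCP_DENIED/403 1450 CONNECT 203.0.113.56:22 - NONE/- text/html
1063378015.663   310 192.168.5.31 TCP_MISS/200 8810 CONNECT mail.example.net:443 - DIRECT/203.0.113.20 -
1063378016.774     2 192.168.5.42 TCP_DENIED/403 1450 GET http://blocked.example.org/ - NONE/- text/html
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

def parse_line(line):
    """Return the fields of one native-format line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(log_text, denied_threshold=3):
    """Per-client counts of requests, denied requests and CONNECT tunnels to ports
    other than 443, plus the sorted list of clients worth a closer look
    (assumed rule: denied >= threshold, or any non-443 CONNECT attempt)."""
    stats = defaultdict(lambda: {"total": 0, "denied": 0, "odd_connect": 0})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # skip lines that are not in the native format
        s = stats[rec["client"]]
        s["total"] += 1
        if rec["action"].startswith("TCP_DENIED"):
            s["denied"] += 1
        if rec["method"] == "CONNECT" and not rec["url"].endswith(":443"):
            s["odd_connect"] += 1
    flagged = sorted(c for c, s in stats.items()
                     if s["denied"] >= denied_threshold or s["odd_connect"] > 0)
    return dict(stats), flagged

if __name__ == "__main__":
    per_client, flagged = summarize(SAMPLE_LOG)
    for client in flagged:
        print(client, per_client[client])
```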
